[c-nsp] disable or rate-limit icmp-unreachables IOS-XR
cnsp at marenda.net
Wed Jan 20 04:24:16 EST 2021
Hi,
When looking at the AMS-IX peering template, I found that generation of ICMP
unreachables shall be disabled.
Is that a good idea? Some say it breaks PMTU
(so I am wondering why this was also present in a PPPoE virtual-template
just seen on the list here).
Also, several secure-your-network checklists insist on setting it on at
least all external interfaces.
Or rate-limit:
RP/0/RSP0/CPU0:ASR9901(config)#icmp ipv4 rate-limit unreachable ?
  <1-4294967295>  One ICMP unreachable message in x milliseconds(default is 500ms)
  DF              Fragmentation needed and DF set (code4)
  disable         Disable rate limit of ICMP messages
RP/0/RSP0/CPU0:ASR9901(config)#
Is this "per chassis", so it will send a maximum of 2 ICMP unreachable messages
per second?
What is a "good" value to keep things like PMTU working but also the device
happy? 10ms?
Thank you for your help,
Jürgen.
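
Added example (not part of the original post, and not Cisco code): a small model of a one-message-per-interval limiter, run over constructed traffic, to show what happens to the "fragmentation needed" messages that PMTU discovery relies on when they share a limiter with other unreachables. It assumes a single limiter instance and that the DF keyword gives code 4 its own interval; the post confirms neither.

```python
"""Model of a 'one ICMP unreachable per N ms' limiter (added illustration).

Assumptions, not taken from the post: one limiter instance for the whole
box, and the DF keyword giving type 3 code 4 messages their own interval.
"""


def simulate(events, interval_ms, df_interval_ms=None):
    """Count which unreachables would be sent.

    events: list of (time_ms, kind); kind is 'df' (type 3 code 4,
    fragmentation needed and DF set) or 'other' (any other unreachable).
    interval_ms: minimum gap between two messages of the general limiter.
    df_interval_ms: separate minimum gap for 'df'; None means 'df' shares
    the general limiter.
    """
    last_sent = {"shared": None, "df": None}
    sent = {"df": 0, "other": 0}
    for t, kind in sorted(events):
        separate = kind == "df" and df_interval_ms is not None
        bucket = "df" if separate else "shared"
        gap = df_interval_ms if separate else interval_ms
        if last_sent[bucket] is None or t - last_sent[bucket] >= gap:
            last_sent[bucket] = t
            sent[kind] += 1
    return sent


# Constructed traffic for one second: background packets that each trigger
# a non-DF unreachable every 10 ms, plus five flows that need a
# "fragmentation needed" reply for PMTU discovery to work.
NOISE = [(t, "other") for t in range(0, 1000, 10)]
PMTUD = [(t, "df") for t in (105, 305, 505, 705, 905)]
EVENTS = NOISE + PMTUD

if __name__ == "__main__":
    cases = (
        ("shared limiter, 500 ms", {"interval_ms": 500}),
        ("shared limiter, 10 ms", {"interval_ms": 10}),
        ("500 ms general, 10 ms DF", {"interval_ms": 500, "df_interval_ms": 10}),
    )
    for label, kwargs in cases:
        print(f"{label:26} -> {simulate(EVENTS, **kwargs)}")
```

In this model a shorter shared interval does not help the DF messages while other unreachables keep the limiter busy; only the separate DF interval lets all five through.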